0262579f2e
[3.2.x] Added CVE-2021-32052 to security archive.
...
Backport of efebcc429f
2021-05-06 10:03:45 +02:00
2d2c1d0c97
[3.2.x] Fixed #32713 , Fixed CVE-2021-32052 -- Prevented newlines and tabs from being accepted in URLValidator on Python 3.9.5+.
...
In Python 3.9.5+ urllib.parse() automatically removes ASCII newlines
and tabs from URLs [1, 2]. Unfortunately it created an issue in
the URLValidator. URLValidator uses urllib.urlsplit() and
urllib.urlunsplit() for creating a URL variant with Punycode which no
longer contains newlines and tabs in Python 3.9.5+. As a consequence,
the regular expression matched the URL (without unsafe characters) and
the source value (with unsafe characters) was considered valid.
[1] https://bugs.python.org/issue43882 and
[2] 76cd81d603e1e81aa1c4
2021-05-06 08:48:22 +02:00
364098fdac
[3.2.x] Fixed #32714 -- Prevented recreation of migration for Meta.ordering with OrderBy expressions.
...
Regression in c8b659430596f55ccf79
2021-05-05 08:44:37 +02:00
df801dde33
[3.2.x] Added CVE-2021-31542 to security archive.
...
Backport of 607ebbfba962b2e8b37e
2021-05-04 11:10:50 +02:00
04d8ed3660
[3.2.x] Added stub release notes for Django 3.2.2.
...
Backport of 5a43cfe245
2021-05-04 11:02:11 +02:00
c98f446c18
[3.2.x] Fixed CVE-2021-31542 -- Tightened path & file name sanitation in file uploads.
2021-05-04 08:43:52 +02:00
bac416972d
[3.2.x] Refs #32674 -- Noted that auto-created through table PKs cannot be automatically migrated.
...
Backport of 907d3a7ff4
2021-04-29 15:14:15 +02:00
d5add5d3a2
[3.2.x] Fixed #32632 , Fixed #32657 -- Removed flawed support for Subquery deconstruction.
...
Subquery deconstruction support required implementing complex and
expensive equality rules for sql.Query objects for little benefit as
the latter cannot themselves be made deconstructible to their reference
to model classes.
Making Expression @deconstructible and not BaseExpression allows
interested parties to conform to the "expression" API even if they are
not deconstructible as it's only a requirement for expressions allowed
in Model fields and meta options (e.g. constraints, indexes).
Thanks Phillip Cutter for the report.
This also fixes a performance regression in bbf141bcdcc8b6594305
2021-04-28 20:27:42 +02:00
55cb3c8ac1
[3.2.x] Fixed #32687 -- Restored passing process’ environment to underlying tool in dbshell on PostgreSQL.
...
Regression in bbe6fbb8766e742dabc9
2021-04-27 12:02:06 +02:00
34981f399a
[3.2.x] Fixed #32682 -- Made admin changelist use Exists() instead of distinct() for preventing duplicates.
...
Thanks Zain Patel for the report and Simon Charette for reviews.
The exception introduced in 6307c3f1a11871182031
2021-04-27 10:39:55 +02:00
0dfe88eaba
[3.2.x] Fixed #32681 -- Fixed VariableDoesNotExist when rendering some admin template.
...
Regression in 84609b32054e5bbb6ef2
2021-04-26 12:52:33 +02:00
48e19bae49
[3.2.x] Fixed #32650 -- Fixed handling subquery aliasing on queryset combination.
...
This issue started manifesting itself when nesting a combined subquery
relying on exclude() since 8593e162c9#27149 ).
Thanks Raffaele Salmaso for the report.
Backport of 6d0cbe42c3
2021-04-21 10:32:39 +02:00
1cc2eaf02d
[3.2.x] Fixed #32665 -- Fixed caches system check crash when STATICFILES_DIRS is a list of 2-tuples.
...
Thanks Jared Lockhart for the report.
Regression in c36075ac1d34d1905712
2021-04-21 09:42:43 +02:00
54d5bfa9c5
[3.2.x] Fixed #32647 -- Restored multi-row select with shift-modifier in admin changelist.
...
Regression in 30e59705fc5c73fbb6a9
2021-04-21 09:08:34 +02:00
539d005aa5
[3.2.x] Fixed #32643 -- Fixed decoding of messages in the pre-Django 3.2 format.
...
Thanks Jan Pieter Waagmeester for the report.
Regression in 2d6179c8194511d14598
2021-04-15 07:58:48 +02:00
208e72276a
[3.2.x] Fixed #32645 -- Fixed QuerySet.update() crash when ordered by joined fields on MySQL/MariaDB.
...
Thanks Matt Westcott for the report.
Regression in 779e615e36ca98729055
2021-04-14 21:13:27 +02:00
d0267690f8
[3.2.x] Fixed #32548 -- Fixed crash when combining Q() objects with boolean expressions.
...
Backport of 00b0786de5466920f6d7
2021-04-14 19:46:45 +02:00
65dfb06a1a
[3.2.x] Fixed #32648 -- Fixed VariableDoesNotExist rendering sitemaps template.
...
Backport of 08c60cce3b
2021-04-14 19:44:10 +02:00
59cce8237c
[3.2.x] Fixed #32649 -- Fixed ModelAdmin.search_fields crash when searching against phrases with unbalanced quotes.
...
Thanks Dlis for the report.
Regression in 26a413507a23fa29f6a6
2021-04-14 12:24:11 +02:00
700356f93b
[3.2.x] Fixed #32635 -- Fixed system check crash for reverse o2o relations in CheckConstraint.check and UniqueConstraint.condition.
...
Regression in b7b7df5fbca77c9a4229
2021-04-14 10:32:07 +02:00
d6314c4c2e
[3.2.x] Fixed #32637 -- Restored exception message on technical 404 debug page.
...
Thanks Atul Varma for the report.
Backport of 3b8527e32b
2021-04-13 09:15:25 +02:00
b245845575
[3.2.x] Fixed #32627 -- Fixed QuerySet.values()/values_list() crash on combined querysets ordered by unannotated columns.
...
Backport of 9760e262f8
2021-04-13 06:16:19 +02:00
49e618f4af
[3.2.x] Fixed #32620 -- Allowed subclasses of Big/SmallAutoField for DEFAULT_AUTO_FIELD.
...
Backport of 45a58c31e6
2021-04-08 13:44:21 +02:00
55da04488e
[3.2.x] Corrected release number format in 3.2.1 release notes.
...
Backport of 3f2920ae1d
2021-04-07 19:45:29 +02:00
5eb17d31c3
[3.2.x] Fixed #32544 -- Confirmed support for GDAL 3.2 and GEOS 3.9.
...
Backport of e3cfba0029
2021-04-07 17:04:10 +02:00
a3a4a0baa3
[3.2.x] Corrected wrapping in 3.2 release notes.
...
Partially reverts 0802b404a25b05a45c62
2021-04-07 07:28:09 +02:00
2e8ff5f902
[3.2.x] Added stub release notes for Django 3.2.1.
...
Backport of df0a9e6d5c
2021-04-06 11:50:23 +02:00
8df29fc733
[3.2.x] Added release date for Django 3.2.
...
Adjusted wrapping in release notes where needed.
Backport of 0802b404a2
2021-04-06 11:21:32 +02:00
011b92ce98
[3.2.x] Updated asgiref dependency for 3.2 release series.
...
Backport of 5aea50e57f
2021-04-06 10:43:40 +02:00
29e2df24e7
[3.2.x] Added CVE-2021-28658 to security archive.
...
Backport of 1eac8468cb
2021-04-06 09:45:23 +02:00
2820fd1be5
[3.2.x] Fixed CVE-2021-28658 -- Fixed potential directory-traversal via uploaded files.
...
Thanks Claude Paroz for the initial patch.
Thanks Dennis Brinkrolf for the report.
Backport of d4d800ca1a
2021-04-06 08:24:01 +02:00
a118564ae1
[3.2.x] Refs #32105 -- Moved ExceptionReporter template paths to properties.
...
Refs #32316 .
Backport of 7248afe12f
2021-03-31 09:11:39 +02:00
46bdc3eaf0
[3.2.x] Fixed #32560 -- Fixed test runner with --pdb and --buffer on fail/error.
...
Backport of 45814af619
2021-03-17 21:51:27 +01:00
230d5b16b2
[3.2.x] Fixed typos in assertQuerysetEqual() docs and 1.6 release notes.
...
Backport of 0c7e880e13
2021-02-26 09:11:57 +01:00
904a889ccc
[3.2.x] Added stub release notes for 3.1.8.
...
Backport of e0f82d7992
2021-02-25 20:49:18 +01:00
76873b830c
[3.2.x] Updated links to DEPs.
...
Backport of 7cc6899d41
2021-02-25 17:27:32 +01:00
06905243a3
[3.2.x] Added CVE-2021-23336 to security archive.
...
Backport of ab58f07250
2021-02-19 11:03:38 +01:00
be8237c7cc
[3.2.x] Fixed CVE-2021-23336 -- Fixed web cache poisoning via django.utils.http.parse_qsl().
2021-02-19 09:15:09 +01:00
6897da6096
[3.2.x] Added documentation extlink for bugs.python.org.
...
Backport of d02d60eb0f
2021-02-17 14:25:54 +01:00
dd14e639ad
[3.2.x] Fixed #32431 -- Reversed order of security issues history.
...
Backport of 17a5e2cff6
2021-02-10 16:03:24 +01:00
afe34e7237
[3.2.x] Fixed typos in 3.2 release notes.
...
Backport of e17bdb953a
2021-02-04 09:56:58 +01:00
7d65889345
[3.2.x] Fixed #32403 -- Fixed re-raising DatabaseErrors when using only 'postgres' database.
...
Thanks Kazantcev Andrey for the report.
Regression in f48f671223f131841c60
2021-02-02 21:35:35 +01:00
b62e767b88
[3.2.x] Added stub release notes for 3.1.7.
...
Backport of 8d3c3a5717
2021-02-01 10:55:07 +01:00
10b25e6722
[3.2.x] Added CVE-2021-3281 to security archive.
...
Backport of f749148d62
2021-02-01 10:45:47 +01:00
f944f79e55
[3.2.x] Fixed CVE-2021-3281 -- Fixed potential directory-traversal via archive.extract().
...
Thanks Florian Apolloner, Shai Berger, and Simon Charette for reviews.
Thanks Wang Baohua for the report.
Backport of 05413afa8c
2021-02-01 09:13:37 +01:00
d83249b0b9
[3.2.x] Fixed #32391 -- Used CSS flex properties for changelist filter.
...
Matched layout adjustment using flex from admin sidebar added in
d24ba1be7a269a767146
2021-01-28 15:52:59 +01:00
4dbbe37479
[3.2.x] Fixed #32348 , Refs #29087 -- Corrected tutorial for updated deleting inlines UI.
...
Updated tutorial to match change in 24e540fbd7f4272d000a
2021-01-27 08:47:27 +01:00
a5d70cca12
[3.2.x] Refs #32365 -- Allowed use of non-pytz timezone implementations.
...
Backport of 10d1261984
2021-01-19 12:00:40 +01:00
75182a800a
Removed empty sections and adjusted 3.2 release notes.
2021-01-14 14:58:28 +01:00
76ae6ccf85
Fixed #31358 -- Increased salt entropy of password hashers.
...
Co-authored-by: Florian Apolloner <florian@apolloner.eu>
2021-01-14 11:20:28 +01:00
Mariusz Felisiak
Simon Charette
Carlton Gibson
Florian Apolloner
Konstantin Alekseev
Zain Patel
Jonathan Richards
Arthur Jovart
Hasan Ramezani
Iuri de Silvio
Adam Johnson
Claude Paroz
Carlton Gibson
William Schwartz
Jacob Walls
Markus Holtermann
Nick Pope
Dan Swain
Denis Skulimovskiy
Paul Ganssle
Jon Moroney